ABSTRACT

An algorithm is presented for computing the exact 
failure probability for binary systems represented as fault 
trees. This algorithm does not rely on cut sets. Instead, 
it applies recursive pivotal decomposition together with 
probabilistic structural reductions and modularization 
directly to the fault tree. A further capability of the 
algorithm is the sequential printing of equations to form a 
function for a specific fault tree which computes system 
failure probability given the basic event probabilities. 
I. INTRODUCTION

Fault trees are used in many fields of application to 
aid in assessing the probability of failure of a complex 
binary system as a result of sub-system or component failures. 
An algorithm is presented here for computing the exact failure 
probability for binary systems represented as fault trees. 

Due to the improved efficiency of this algorithm over those 
currently in use, reliability engineers and other users will 
find it useful for conducting fault tree analyses in which 
multiple computations of failure probabilities are needed. 

Fault trees are commonly used models to represent failures 
in complex electrical, mechanical, and other systems. Their 
use originated in 1961 at Bell Telephone Laboratories in the
safety assessment of the Minuteman Launch-Control System
[Ref. 1]. Since then many other applications for fault trees
have been found. Arnborg [Ref. 2] refers to their use in 
weapons effectiveness models, and Atkinson [Ref. 3] uses a 
fault tree model to analyze a naval weapons system. Ball 
[Ref. 4] uses fault trees to identify critical zones and 
components of aircraft subjected to anti-aircraft fire. Other 
areas in which fault tree models have been applied include 
nuclear power plant safety [Refs. 5, 6, 7, 8], electrical sys- 
tems [Ref. 9], computer hardware design [Ref. 10], and chemical 
processing [Ref. 11]. 
Efficient methods for computing the probability of system
failure or, equivalently, system reliability are needed for
users with large fault trees to analyze. One use for such
computations is in obtaining importance measures for basic
events or component failures. Importance measures are methods
of assigning numerical values to basic events which in some
way gauge how critical a component is to system reliability.
These values are useful for sensitivity analysis. For example,
in an electrical circuit the failure of a component linked in
series will be more critical to system reliability than will
the same component linked in parallel. In a complex system
such structural characteristics may not be so obvious. Impor-
tance measures will reflect the relative importance to the
system resulting from system structure and component charac-
teristics for each component. Lambert [Ref. 12] discusses
four measures of event importance which can be computed
exactly or approximately given a method for computing system
reliability.

Needs exist for efficient system reliability computations
for other uses. Mizukami [Ref. 13] and Derman, et al. [Ref. 14],
discuss constrained problems of resource allocation with
the objective of maximizing system reliability such as

$$
\max\; h(\mathbf{p}(\mathbf{y})) \quad \text{s.t.} \quad \sum_i y_i \le A
$$

where y_i is the amount of resource allocated to component i,
p(y) is an m-vector of failure probabilities of the components
given y, and h(p(y)) is the system reliability. Since h(p(y))
is nonlinear, this problem requires a solution using nonlinear
programming techniques [Ref. 15]. Most of these techniques
require computation of the objective function gradient at
each iteration. Each component i in the gradient evaluated
at y is given by

$$
\frac{\partial h}{\partial y_i} = \frac{\partial h}{\partial p_i}\,\frac{\partial p_i}{\partial y_i}
= \bigl( h(\mathbf{p}(\mathbf{y}) \,|\, p_i = 1) - h(\mathbf{p}(\mathbf{y}) \,|\, p_i = 0) \bigr)\,\frac{\partial p_i}{\partial y_i}
$$

Thus each gradient computation requires 2m computations of
h(p(y)).

In some binary systems the failures of some of the basic
components are statistically dependent. In these cases,
computation of system failure probability requires numerical
integration. For instance, if components i, j, and k are
dependent while all other component failure probabilities are
independent, then system failure probability g(p) can be
found using

$$
g(\mathbf{p}) = \int_0^1 \!\int_0^1 \!\int_0^1
g\bigl(\mathbf{p} \,\big|\, (p_i = x_i,\, p_j = x_j,\, p_k = x_k)\bigr)\,
f(x_i, x_j, x_k)\, dx_i\, dx_j\, dx_k
$$

where g(p | (p_i = x_i, p_j = x_j, p_k = x_k)) is the system failure
probability with the probabilities of components i, j, and k
fixed, and f(x_i, x_j, x_k) the joint probability density function
of components i, j, and k. Numerical integration of this
function requires many computations of system failure proba-
bility. The more rapidly that g(p | (p_i = x_i, p_j = x_j, p_k = x_k))
can be computed, the smaller the increments of numerical
integration can be, and the more accurate g(p) will be.

Many fault trees used in applications are quite large. 
Arnborg [Ref. 2] states that some of the military models used 
in practice require as many as 100,000 evaluations of fault 
trees containing as many as 1000 basic components to evaluate 
performance over different tactical situations. Reliability 
optimization, numerical integration, and importance determina- 
tion cannot be performed on some of these larger fault trees 
given current methods. It is obvious that a need exists for 
more efficient methods to compute system failure probability 
for binary systems. 

A. DEFINITIONS AND NOTATION 

A fault tree is used to represent a binary system. A
binary system is a system in which all components and the
entire system are assumed to be either completely operational
or completely failed. A binary system is denoted (C, Φ) where
C is the set of components and Φ is a binary function of the
component states. Let x_i ∈ {0,1} represent the state of the
ith component of a binary system with m components. The system
state is given by Φ(x) ∈ {0,1}, where x = (x_1, x_2, ..., x_m) is
the system state vector. If x_i = 0, then the state vector x
is written (0_i, x) where x_j is arbitrary for j ≠ i. Setting
x_i = 1 yields a state vector of (1_i, x). Likewise if every
basic component i is assigned a probability p_i, then
p = (p_1, p_2, ..., p_m) is a vector of given probabilities. The
probability of a system failure is given by g(p), and system
reliability is given by h(p) = 1 - g(p). If p_i = 0, then the
vector p is denoted (0_i, p) where p_j maintains its original
value for all j ≠ i. Similarly, setting p_i = 1 yields the
vector (1_i, p).

A binary system can be coherent or noncoherent. A system
is coherent if Φ is monotonically increasing, and all components
are relevant. Component i is relevant if Φ(1_i, x) ≠ Φ(0_i, x) for
some value of the state vector x. If the system state is
constant in x_i for all values of x, then component i is
irrelevant [Ref. 16: p. 6].

Fault trees are the most commonly used models of binary
systems. A fault tree is denoted F = (E,L) where E is the set
of events, and L is the set of links. An event e_i ∈ E is a
pair e_i = (v_i, t_i) where v_i ∈ V is the event vertex and t_i ∈ T
is the event type. Events are connected by links
l_ij = (v_i, v_j) ∈ L where the ordered pair (v_i, v_j) denotes a
directed link from e_i to e_j. Link l_ij transmits the output
from event e_i to the input of event e_j. The out-degree of
e_i is the number of j such that (v_i, v_j) ∈ L. The in-degree
of e_j is the number of i such that (v_i, v_j) ∈ L.

Three graphs derived from F will be useful. H = (V,L)
is a directed graph with links directed "upward" as in F;
H = (V,L) is similar to H but with its links directed in the
opposite, i.e., "downward", direction; and H = (V,L) is an
undirected graph where L is taken as an unordered set.

A further requirement for F to be a fault tree is that H
be acyclic and possess a unique vertex which follows every
other v_j in any acyclic ordering of V. In the graph H, this
vertex corresponds to the top event of F. The state of the top
event is the system state Φ(x). The top event is dependent
on intermediate and basic events and has out-degree zero.
Intermediate events (or logic events) are any events with out-
degrees and in-degrees both greater than zero. A basic event
represents a system component, and has in-degree zero. The
number of basic events is m. For now, it is assumed that all
basic events are statistically independent, randomly occurring
events.

For examples of fault tree event types consider a model 
of a complex tactical aircraft. This aircraft is composed 
of many basic components such as electrical generators, 
hydraulic pumps, flight control cables, and others for which 
failures can be assumed to be statistically independent. (For 
this aircraft assume that these components are independently 
powered.) The failures of these basic components are repre- 
sented in a fault tree by basic events. Each of these com- 
ponents is a part of a greater system, i.e., electrical, 
hydraulic, and flight controls, respectively. Failures of 
these sub-systems become the intermediate events of the fault 
tree. Failures in basic components cause failures in inter-
mediate components which may ultimately lead to occurrence 
of the top event, aircraft failure. 

In the fault tree each event has a type, t_i ∈ T. For the
top and intermediate events, t_i denotes a logic type, e.g.,
AND, OR, while for basic events, t_i is type BASIC. Any event
with an out-degree greater than one represents a replicated
event. The number of replicated events in the fault tree is
denoted by r.

Table 1-1 shows the logical operations performed at e_j
on the events e_i linked into e_j by the links l_ij.

TABLE 1-1
Logical Operations

Logic Event    Input                                        Output
AND            $x_i$ for all i s.t. $(v_i, v_j) \in L$       $\prod_i x_i$
OR             $x_i$ for all i s.t. $(v_i, v_j) \in L$       $1 - \prod_i (1 - x_i)$
K-out-of-N     $x_i$ for all i s.t. $(v_i, v_j) \in L$       1 if $\sum_i x_i \ge k$, 0 if $\sum_i x_i < k$
NOT            $x_i$                                         $1 - x_i$

Logic types included in T are AND, OR, NOT, and (at least) 
K-out-of-N. Other logic types are possible, but these are 
the most commonly encountered in fault tree models. In fact,
all structure functions can be represented using only logic 
types AND, OR, and NOT. NOT events will always have an out- 
degree and in-degree of one, and their presence implies a 
noncoherent system. Figure 1-1 displays the symbols for 
events to be discussed in this thesis. This thesis will only 
consider these event types since they are the most common, 
and the algorithm developed using these event types can be 
easily extended to other types. 

An event tree is a generalization of a fault tree in which 
system operation or failure can be represented. Event trees 
representing failures are usually referred to as fault trees. 
There are no structural or computational differences between 
fault trees and event trees, and the term "fault tree" is 
used throughout this thesis. Another representation of a 
binary system which is used is the reliability network. This
representation is not considered here since it does not lend 
itself to modeling general binary systems [Ref. 17]. 

A module is a set of basic events which behave as one
event. Consider a binary system (C, Φ) with A ⊂ C, and let
x = (x^A, x^{A^c}) split the state vector into the components in A
and those outside A. If Φ(x) = Φ'(Φ''(x^A), x^{A^c}) for structure
functions Φ' and Φ'', then (A, Φ'') is a module [Ref. 16: p. 16].

A module in a binary system can often be directly recog-
nized in a fault tree. Consider the graph H derived from F
and a specified vertex v_j. If H is connected, and H - v_j is
disconnected, then v_j is a cut vertex, and e_j is a cut event.
H - v_j = {H_1, H_2, ..., H_k}, where each H_i is connected for all
i, but there is no connection between H_i and H_j for i ≠ j,
and where H_1 contains the vertex corresponding to the top
event of F. Let H_i = (V_i, L_i), and E_i = {e_k : v_k ∈ V_i}.
Then, F_i = (E_i + e_j, L_i ∪ {l_kj ∈ L : v_k ∈ V_i})
is an F-module for i = 1, 2, ..., k with cut event e_j. The
non-null union of any combination of these F_i is also an
F-module with cut event e_j.

Figure 1-1 Logic Events

Consider the F-module F' = (E',L') in F. Let e_i ∈ E
be any event connected into the cut event e_j by links
l_ij ∈ L. If e_i ∈ E' for all i, then e_j is an F-module top,
and F' is a simple F-module. If separated from F, a simple
F-module with an F-module top has the same properties as a
fault tree. The cut event of a general F-module may have other
e_i connected into it where e_i ∉ E', and therefore does not
necessarily possess all the fault tree properties. F is
always an F-module of F. Any other F-module in F is a proper
F-module. An F-module is trivial if it contains only one or
more unreplicated basic events plus the cut event. Any F
whose only proper F-modules are trivial is a prime F-module.

In a graph H, if a maximal set of vertices V_0 ⊆ V exists
such that for every distinct subset of three vertices
{v_i, v_j, v_k} ⊆ V_0 there exists a path between v_i and v_j not
containing v_k, then V_0 is a biconnected component [Ref. 18:
p. 179]. If all paths from any v_i ∈ V_0 to any v_j ∉ V_0 must
pass through the same vertex v_k ∈ V_0 for i ≠ j, then v_k is
a cut vertex of V_0.
Computation of any problem on a digital computer requires
time and storage. Let f be some function of the size of the
fault tree such as f(|E|) or f(|L|). Then let O(f) be a
known linear function of f which provides an upper bound on
some requirement for the problem. O(f) is the algorithmic
complexity of the problem for the specific requirement. If
the requirement is space, then O(f) denotes the storage
requirement in terms of the problem size, while if the require-
ment is time, it denotes the CPU time required in the same
terms.

Although not utilized in this study, later reference will 
be made to other fault tree algorithms which utilize cut 
sets and path sets. A cut set is a set of basic events whose 
occurrence ensures occurrence of the top event. A cut set 
is minimal if no event can be removed while still ensuring 
occurrence of the top event. A path set is a set of basic 
events whose nonoccurrence ensures nonoccurrence of the top 
event [Ref. 16: p. 9]. (This terminology originates from
network reliability.) 

B. PROBLEM DEFINITION AND COMPLEXITY 

The objective of this thesis is to develop an efficient
algorithm to compute g(p), the probability of the top event
of a fault tree. It is assumed that a probability p_i for
each basic event in F is known. However, assignment of a
probability p_i to a basic event is only correct when certain
assumptions about the modeled system can be made. These
assumptions are valid for the three categories of systems
described below.

The first category is the set of non-repairable systems.
In this case p_i = F_i(x) is the probability that component i
has failed by time x [Ref. 19]. System failure by time x
then is g(F(x)). A tactical aircraft on a mission is an
example of a non-repairable system where the interval (0, x)
represents the time span from takeoff to landing.

The second category is the set of systems for which com-
ponent "up" and "down" times form independent renewal processes
[Ref. 19]. Here, D_i is the component "down" time, and U_i
is the component "up" time. The probability that component i
is "down" or in a failed state at a given instant of time and
the proportion of time that i will spend in a "down" state
are both given by

$$
p_i = \frac{E(D_i)}{E(U_i) + E(D_i)}
$$

An example of this type of system is an electrical power
generating station which runs continuously.

The final category of failures is point failures. Point 
failures are realized if a system fails to activate when its 
"on" switch is engaged. In this case p_i and g(p) are simply
the probabilities that component i and the system, respectively,
fail to activate. Point failure is a fair assumption for
modeling the probability that an aircraft to be flown on a
mission fails to pass the pre-flight safety checks and conse-
quently cannot begin the mission.

Let g(p) denote the probability of the top event in a
fault tree, and let g_i(p) denote the probability of occurrence
of an intermediate event i. In a fault tree without repli-
cated events, computation of g(p) is easy. Since the top
and intermediate events are represented by logic events, e_j,
their probability can be computed directly if the events, e_i,
for all i s.t. (v_i, v_j) ∈ L are all mutually independent and
have known probabilities. The equations used to compute these
probabilities are found in Table 1-2.

TABLE 1-2
Logic Event Probabilities

Event Type     Computation
AND            $g_j(\mathbf{p}) = \prod_i p_i$
OR             $g_j(\mathbf{p}) = 1 - \prod_i (1 - p_i)$
2-out-of-3     $g_j(\mathbf{p}) = p_1 p_2 p_3 + (1 - p_1) p_2 p_3 + p_1 (1 - p_2) p_3 + p_1 p_2 (1 - p_3)$
NOT            $g_j(\mathbf{p}) = 1 - p_i$

Hwang [Ref. 20] and Shanthikumar [Ref. 21] provide recursive
algorithms for general K-out-of-N systems which operate in
polynomial time. Using these equations g(p) can be found by
computing g_j(p) at each logic event from the bottom of the
fault tree to the top event. This procedure can be used in
any fault tree without replicated events. Computation of
top event probability for a fault tree in this case can be
accomplished in time O(|L|) in space O(|L|). (Since H is
assumed connected, |L| ≥ |E| - 1, and O(|E| + |L|) is effec-
tively O(|L|).) Referring to Figure 1-2a, F is searched from
the top event downward, i.e., following H. When an intermedi-
ate event which has only basic input events is found, the
probability of the intermediate event is computed, and it
becomes a basic event. The search continues, gradually
reducing all intermediate events to basic events in a back-
tracking procedure until the top event probability is computed.
These reductions are simple reductions, and a formal algorithm
to perform them is given in Chapter II.
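
As an added example (not the thesis's code), the K-out-of-N row of Table 1-1 computed in polynomial time and checked against the term-by-term 2-out-of-3 expansion of Table 1-2. The recurrence is this example's own formulation in the spirit of the polynomial-time algorithms the text attributes to Hwang and Shanthikumar; it generalizes the table's 2-out-of-3 case to any N and k and recovers the AND (k = N) and OR (k = 1) rows, and the input probabilities are constructed.

```python
"""K-out-of-N gate probability in polynomial time.

Added example, not the thesis's code.  Table 1-2 writes 2-out-of-3 out as
four products; that expansion has one term per state vector with >= k
failures and so grows exponentially in N.  The recurrence below, this
example's own formulation in the spirit of the polynomial-time algorithms
the text attributes to Hwang and Shanthikumar, needs O(N*K) operations for
independent inputs with distinct probabilities.  All inputs are constructed.
"""
from itertools import product
from math import prod


def k_out_of_n(p, k):
    """Probability that at least k of the independent inputs have failed.

    dist[j] is Pr[exactly j of the inputs processed so far have failed],
    except that dist[k] pools everything at or above k: the gate output is
    already 1 once the count reaches k (Table 1-1), so finer detail there
    is never needed and only k + 1 bins are kept.
    """
    n = len(p)
    if not 0 <= k <= n:
        raise ValueError("k must satisfy 0 <= k <= N")
    if k == 0:
        return 1.0                       # zero failures always suffice
    dist = [1.0] + [0.0] * k
    for q in p:
        new = [0.0] * (k + 1)
        for j, mass in enumerate(dist):
            if mass:
                new[j] += mass * (1 - q)           # this input did not fail
                new[min(j + 1, k)] += mass * q     # this input failed
        dist = new
    return dist[k]


def two_out_of_three_table(p1, p2, p3):
    """The 2-out-of-3 row of Table 1-2, term by term."""
    return (p1 * p2 * p3 + (1 - p1) * p2 * p3
            + p1 * (1 - p2) * p3 + p1 * p2 * (1 - p3))


def k_out_of_n_enumerated(p, k):
    """Exponential check: add Pr[x] for every state vector with >= k failures."""
    return sum(prod(q if b else 1 - q for q, b in zip(p, x))
               for x in product((0, 1), repeat=len(p)) if sum(x) >= k)


if __name__ == "__main__":
    p = [0.1, 0.2, 0.3]                   # constructed input probabilities
    print(k_out_of_n(p, 2), two_out_of_three_table(*p))   # both 0.098
    print(k_out_of_n(p, 3), k_out_of_n(p, 1))              # AND and OR gates
```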

The assumption of independence among input events which
allows simple reductions cannot be made throughout a fault
tree containing replicated events. Any two events e_i and e_j
which are on separate directed paths from the same replicated
event e_k cannot be assumed to be independent since the states
of e_i and e_j both depend on e_k. Replicated events complicate
the computation of top event probability. In fact, Rosenthal
showed the problem of computing g(p) for a fault tree F
containing replicated events to be a member of the class of
nondeterministic polynomial hard (NP hard) problems [Ref. 22].
Consequently, no algorithm exists or is likely to be developed
to compute g(p) in time bounded by a polynomial function of
the number of events [Ref. 23: p. 113]. The best known upper
bound on time for any algorithm to solve g(p) is an exponen-
tial function of the problem size. The best known bound on
space, however, is polynomial.

Figure 1-2 Fault Trees (a. Without Replicated Events)

Despite the inherent exponential complexity of the prob- 
lem, it is still possible to exactly compute g(p) for many
moderate sized fault trees. It is the purpose of this study 
to take advantage of structural properties of fault trees 
to extend the range of problems for which exact probabilities 
can be computed. The method described for use in a fault 
tree with no replicated events will be useful as a subroutine 
in a more general algorithm. 

C. COMPUTATIONAL METHODS 

Several different exact and approximate methods for 
probabilistic analysis of fault trees have been developed 
for fault trees with replicated events. Most of these methods 
ignore the topological structure of the fault tree while rely- 
ing on cut set enumeration to compute g(p). Because of the
inefficiency of these methods, exact values of g(p) are not
computable for large systems and must be approximated by use 
of upper and lower bounds or Monte Carlo simulation. 

1. Existing Methods

Current methods for computing g(£) for binary systems 
represented as fault trees can be placed into two categories, 
those using cut sets and those not using cut sets. Methods 
which use cut sets include "inclusion-exclusion" [Ref. 24:
p. 98-101], "sum of disjoint products" [Refs. 25, 26], and
"ZH" [Ref. 27]. A common requirement of these methods is the
enumeration and storage of all cut sets. The number of cut
sets in a binary system can be exponential in the size of
the system. Therefore, for a large system these methods may
be limited to approximations for g(p). Using the inclusion-
exclusion and sum of disjoint products methods the generation
of all terms needed for computation of g(p) is exponential
in the number of cut sets. Consequently, for both of these
methods the complexity is exponential on an exponential
function of the problem size. Most methods which depend on
cut sets never take advantage of the structure of the systems
they model, such as the presence of modules or other simpli-
fying properties, and, consequently, are guaranteed to always
require large amounts of time and space to compute g(p).

ZH, which locates independent blocks of cut sets and evalu-
ates them separately, can achieve exponentially better effi- 
ciency than the sum of disjoint products methods. 

Two methods which do not use cut sets are "PAFT F77"
[Ref. 28] and "reduced state enumeration" [Ref. 2]. These
methods are based on the fault tree model of a binary system.
PAFT F77 removes all replicated basic events by conditioning
and then uses simple reductions to compute g(p). This method
does not allow replicated intermediate events, and is
guaranteed an actual complexity factor which is exponential
in the number of replicated basic events. Reduced state
enumeration enumerates the states of each replicated event
e_k over any cut event e_j. Reduction is achieved since the
states of all e_k below e_j can be replaced by the states of
e_j in an expression for the states of some e_k above e_j.
This method is only useful, however, when no prime F-modules
of the fault tree contain a large number of replicated events.

Of the methods discussed above only PAFT F77 takes 
advantage of topological reductions and then only in a crude 
manner. This thesis applies probabilistic structural reduc- 
tions to fault trees. Although theoretical complexity remains 
exponential in the number of replicated events, actual com- 
plexity will be reduced by these reductions. 

2. Recursive Pivotal Decomposition

Let g(F) denote the system failure probability for
a particular fault tree F. If F has no replicated events,
g(F) may be computed by repeated application of simple reduc-
tions. When F is reduced to a single basic event e_j,
g(F) = p_j. If, after all simple reductions have been made,
F is not reduced to a single event, some replicated basic
event e_k must remain. From the theorem of total probability,
for any remaining basic event e_k

$$
g(\mathbf{p}) = p_k\, g(1_k, \mathbf{p}) + (1 - p_k)\, g(0_k, \mathbf{p})
$$

for a binary system. This is the equation for pivotal
decomposition. For a fault tree the equation becomes

$$
g(F) = p_k\, g(F \,|\, x_k = 1) + (1 - p_k)\, g(F \,|\, x_k = 0)
     = p_k\, g(F_1) + (1 - p_k)\, g(F_0)
$$

where F_1 is a fault tree derived from F given that e_k has
occurred, and F_0 is a fault tree derived from F given that
e_k has not occurred. If simple reductions completely reduce
F_1 and F_0, then g(F_1) and g(F_0) are computed, and g(F) can
then be computed. If not, events in F_1 and/or F_0 are selected
for conditioning, and the procedure is repeated recursively
until all failure probabilities can be computed through simple
reductions or until conditioning implies g(F | x_k) = 0 or 1.
Figure 1-3 shows a recursive decomposition of a fault tree F.

Recursive pivotal decomposition is further enhanced
by identification of proper F-modules. If simple reductions
fail to reduce F to a basic event e_j, then F may contain a
non-trivial F-module F'. If F' is a simple, proper F-module
with module top e_j, then pivotal decomposition may be applied
to compute g(F'). F can then be replaced by F - F' + e_j where
t_j = BASIC, and p_j = g(F'). Using this modularization an
exponential reduction in computation can be achieved, especially
when repeated on recursively produced fault trees.

For small fault trees pivotal decomposition may be
repeated quickly to compute g(F) for different values of p
when necessary as in the constrained reliability maximization
problem. For moderate to large-sized fault trees it may be
possible to use pivotal decomposition to compute g(F) once
in a reasonable amount of time but not multiple times. In
this case it is possible to perform the simple reductions and
pivotal decomposition on F without actually computing the
probabilities in the process but, instead, saving each equa-
tion which would have been used to compute probabilities.
When F has been completely reduced, the saved equations form
an expression for g(p). This expression may now be used for
rapid recomputations of g(p) without much of the work asso-
ciated with the original fault tree algorithm.

Figure 1-3 Pivotal Decomposition

Assuming that only replicated events are conditioned,
time complexity for pivotal decomposition combined with
simple reductions is O(2^r |L|) for g(F). This is true since
r is the greatest recursion level ever required to condition
r replicated events. The time complexity of the expression
g(p) will be identical to that of g(F) since g(p) will
merely execute the computations produced in equational form
by g(F). Actual time savings will, however, be realized by
execution of the expression g(p) since building, storing,
and reducing the structure of F is unnecessary. The space
complexity of storing one fault tree is O(|L|). For each
step of conditioning, two different reductions must be per-
formed on the same fault tree. To do this a copy of the cur-
rent fault tree must be created and stored until it has been
completely reduced. At the rth level of recursion, r copies
of the fault tree are being stored. Consequently, the space
complexity for g(F) is O(r|L|). Space complexity for
storage of the expression g(p) is proportional to the
time complexity of g(F).

Improvement of the actual time required to compute 
probabilities over existing methods will be attempted by 
taking advantage of fault tree structure, modularizing when 
possible, and exploring the use of some heuristics for 
intelligent conditioning. 
II. ALGORITHMS

The main algorithm performs recursive pivotal decomposi-
tion combined with simple reductions on a fault tree. The
main features of this algorithm and its supporting elements
are presented in this chapter. F will be used to denote a
fault tree with a probability assigned to each basic event.
For notational simplicity let |F| denote |E| for F = (E,L).

A. FAULTTREE 

Faulttree is the primary algorithm used in this thesis.
(See Figure 2-1.) The argument F is a simple F-module. In
the first call to Faulttree, F is the original fault tree,
but in all subsequent calls it is an F-module. (It will not
necessarily be a proper F-module.) Faulttree receives F as
an argument and returns the F-module top and its probability.

Sreduce performs all possible simple reductions on F,
and if it reduces F to a basic event, Faulttree is finished.
Otherwise, Faulttree will carry out further reductions using
recursive pivotal decomposition. Findmodule searches for and
returns a simple F-module F_0 in F. Also returned is e_j, the
F-module top. If no proper, simple F-modules exist, F_0 = F.
F_1, a copy of F_0, is produced so that two fault trees can be
conditioned. At the end of the "if" block F_0 remains in F
but as a basic event with probability given by the pivotal
decomposition computation. The comments "{dummy 1}" and
algorithm Faulttree(F);
  input:  A fault tree or simple F-module F with associated
          basic event probabilities
  output: The top event or F-module top e_j of F and its
          probability p_j

begin
  while (|F| > 1) do
  begin
    (F, p) <- Sreduce(F);
    if (|F| = 1) then Return(F, p)
    else
    begin
      (F_0, e_j) <- Findmodule(F);
      e_k <- Select(F_0) s.t. t_k = BASIC;
      F_1 <- Copy(F_0);
      (F_1, p_1) <- Condition(F_1, e_k, 1);
      if (|F_1| > 1) then (e_j, p_1) <- Faulttree(F_1);
      {dummy 1};
      (F_0, p_0) <- Condition(F_0, e_k, 0);
      if (|F_0| > 1) then (e_j, p_0) <- Faulttree(F_0);
      p_j <- p_k p_1 + (1 - p_k) p_0;
      {dummy 2};
      t_j <- BASIC;
    end;
  end;
  Return(F, p_j)
end;

Figure 2-1 Faulttree



"{dummy 2}" mark the spots where equation print statements 
can be inserted. This cycle of Sreduce, Findmodule, and 
pivotal decomposition on an F-module is continued until all 
F-modules are completely reduced. 

Significant reductions in actual run times should be
realized through the use of modularization. If a simple F-
module can be located with s replicated events in a fault
tree with r replicated events, then reduction methods
can be applied to the F-module alone. After reducing
the F-module to a basic event, reductions continue on the
remainder of the fault tree. Using these methods the original
complexity factor of 2^r reduces to 2^s + 2^(r-s). By searching
for F-modules and independently reducing each one, much time
is saved.

Actual storage requirements can be expected to be well 
below the upper bound of O(r|L|). Actual storage could only
be this large if at each level of recursion during pivotal 
decomposition a copy of the original fault tree must be made. 
This cannot happen since at least one and frequently many 
events are removed at each conditioning step, thus gradually 
reducing the size of the fault tree as the level of recursion 
increases. Additionally, these operations are being performed 
on F-modules. Whenever a proper F-module is found, the size 
of the copy to be produced and stored is reduced. 

1. Sreduce

This algorithm is sufficient for completely reducing
F if it contains no replicated events. Sreduce is shown in
Figure 2-2. Sreduce does a depth first search in H to find
any event e_j with only unreplicated, basic events directly
below. When such an e_j is found it is reduced to a basic
event, g_j(p) is computed, and all of the unreplicated, basic
events can be disposed. As the algorithm backtracks to the
top event, each F-module which has no replicated events is
reduced to a single basic event. Upon leaving Sreduce, the
only remaining, non-trivial F-modules in F contain replicated

algorithm Sreduce(F);
  input:  A simple F-module F with associated basic event
          probabilities
  output: If fully reduced, the F-module top with its proba-
          bility. Else, a partially reduced F

begin
  for all e_k ∈ E mark e_k "reducible";
  put module top of F on stack;
  while stack not empty do
  begin
    let e_j be the top element of the stack;
    for each untraversed l_ij ∈ L do
    begin
      traverse l_ij;
      if e_i replicated then mark e_j "irreducible";
      if e_i "reducible" and not BASIC then put e_i
        on stack and let e_j <- e_i;
    end;
    remove e_j from stack;
    if e_j "reducible" then
    begin
      p_j <- g_j(p) and mark e_j BASIC;
      {dummy 3};
    end
    else mark top element of stack "irreducible";
  end;
  if (|F| = 1) then Return(({e_j}, ∅), p_j)
  else Return(F, undefined)
end;

Figure 2-2 Sreduce

events. "(dummy 3}" is a marker for inserting the print 
statements for g^ (p) . The time complexity of a call to 
Sreduce is 0 (|l|). 

2. Findmodule

This algorithm is a modification of Hopcroft's [Ref.
18: p. 185] depth first search for biconnected components.
The search for biconnected components is effectively carried
out in H with the unreplicated basic event vertices removed,
where H is derived from F after performing all possible
simple reductions. As a result only F-modules containing
at least one replicated event are found. Although Findmodule
locates any such F-module, it returns only simple F-modules
to Faulttree. If a located F-module is not simple, Findmodule
will restructure it into a simple F-module with an F-module
top or perform some other type of restructuring before return-
ing it to Faulttree. These special restructuring procedures
are described in Section C of this chapter. The time complex-
ity of this routine is O(|L|). Findmodule terminates as
soon as an F-module is located.

3. Conditioning

Great reductions in computation can be obtained by
selective conditioning in Faulttree. After locating an
F-module F, a replicated basic event e_i is selected for
conditioning. "Condition" is a procedure for making the
associated reductions in F and is shown in Figure 2-3.

Condition also uses a depth first search, but from
the replicated event outward, transmitting the effect of
conditioning on the replicated event to other events in F.
The search is conducted in (E, L ∪ L̄) since other events both
above and below an event to be removed may also be determined
to be removable. Condition is configured for AND, OR, NOT,
and 2-out-of-3 gates. However, addition of other types is
easy. Any event to be removed from F is placed into the
stack. When event e_i is removed from the stack, an outward
search is conducted to find any other events to remove from
F. If events are not to be removed, their links to e_i are
disposed. An event which is unreplicated and connected into
e_i from below will be placed into the stack for removal from
F. The search looks upward from e_i to events e_j for all
ℓ_ij ∈ L and performs logic checks. For example, if the
state variable x = 1, and t_j = OR, then e_j is placed into the
stack. NOT events change x to 1 − x. 2-out-of-3 events are
transformed into AND or OR events depending on the current
value of x. If the search reaches the F-module top of F,
F is returned as a basic event with p = 0 or 1. If the F-
module top is not reached in the search, F is returned,
partially reduced from the form of the original argument.
The time complexity of this search is O(|L|).

procedure Condition(F, e_i, x);

input: A simple F-module F, a basic event e_i to condition, the
       state of the condition x
output: If fully reduced, the F-module top and the state of
        the top event. Else, a partially reduced F

begin
  put e_i on stack;
  while stack not empty do
  begin
    remove e_i from stack;
    for all e_j s.t. ℓ_ij ∈ L do            {events above e_i}
    begin
      if ((in-degree(e_j) = 1) or ((t_j = OR) and (x = 1))
          or ((t_j = AND) and (x = 0))) then
      begin
        if (e_j = module top of F) then Return({e_j, ∅}, x);
        put e_j on stack;
        if t_j = NOT then x ← 1 − x;
      end
      else
      begin
        dispose ℓ_ij;
        if (t_j = 2-out-of-3) then
          if (x = 1) then t_j ← OR else t_j ← AND;
      end
    end;
    for all e_j s.t. ℓ_ji ∈ L do            {events below e_i}
    begin
      if e_j unreplicated then put e_j on stack
      else dispose ℓ_ji;
    end;
    if t_i = NOT then x ← 1 − x;
    dispose e_i;
  end;
  Return(F, undefined)
end.

Figure 2-3 Condition

4. The Select Procedure

Printed equations can be used for multiple executions
of top event probability computations. In this case, condi-
tioning on basic events so as to minimize the number of
equations written will enhance efficiency even if the running
time of Faulttree is increased. One way to do this is to
develop a "good" procedure for selecting a replicated event
e_i to condition. Various heuristics are possible such as
choosing the e_i with greatest out-degree or the greatest or
least distance from the cut event. These qualities can be
determined with a routine in O(|L|) time. A theoretically
stronger heuristic is

    min_{e_i ∈ E_R} ( max_{j ∈ J} |R_j| )

where E_R is the set of replicated basic events in F, J the
set of biconnected components remaining in the two fault trees
after conditioning e_i, and R_j the set of replicated events
in biconnected component j. A "select procedure" was imple-
mented to perform this. The procedure conditions on e_i
using the algorithm Condition and creates the two fault trees
F_0i and F_1i. Next, a depth first search is conducted in F_0i
and F_1i, counting the replicated events |R_j| in each bicon-
nected component j. The biconnected components of H|x_i
correspond to prime F-modules in F|x_i and to components which
will become prime F-modules after recursively reducing current
F-modules. The maximum |R_j| found in the two depth first
searches of F_0i and F_1i is saved for each e_i. These steps are
repeated for all e_i ∈ E_R, and that e_i which minimizes the
saved maximum |R_j| is chosen for conditioning. This heuristic
myopically minimizes the upper bound factor max_{j ∈ J} 2^|R_j|
over all F-modules and components which will become F-modules.



B. FAILURE PROBABILITY FUNCTION 

A second version of Faulttree was modified to print a
set of equations which represent the failure probability
function g(p). All algorithms remain the same except that
probability computations are replaced with "print statements."
These statements are inserted in Faulttree and Sreduce in
the spots marked by "dummy" comments. Since numerical compu-
tations are correctly ordered, so must be the printing of
the equations. Faulttree must create an extra variable and
print an equation for storing the probability of the top
event for F_1 since its normal storage space will be overwritten
by the probability of the top event for F_0. "Dummy 1" is
replaced by a statement to print the equation which stores
the conditional probability in this extra variable. The
pivotal decomposition equation is printed by a statement in
the line marked by "Dummy 2." Table 2 shows the statements
to be substituted for "Dummy 1" and "Dummy 2" in Faulttree.

TABLE 2

Printing Equations

Block      Statement

Dummy 1    XP[j] := P[j];

Dummy 2    P[j] := P[i]*XP[j] + (1-P[i])*P[j];

In the table, j is the index of the F-module top while i is
the index of the event conditioned. In Sreduce "Dummy 3"
is replaced by a statement giving the equation for g_j(p).
In this case, the printed statement assigns a value to
"P[j]" by writing on the right hand side of the equation a
function of the basic, unreplicated events. The function to
be printed is dependent on t_j and is taken from Table 1-2.

Although execution of g(p) is O(2^r|L|) just like the
computation of g(F), actual time should be much less. Storage
is also O(2^r|L|), an increase from the storage required for
direct computation of g(F). Storage of variables in g(p) is
only O(r+N). Recall that r is the number of replicated
events, which also yields the maximum level of recursion, and
N is the total number of events in the fault tree. The r
term results from creating an extra variable at each level
of recursion to store conditional, top event probabilities.
The number of equations written is directly related to the
time complexity of computing g(F). The total storage require-
ments are therefore of the same order as the time complexity
of Faulttree, i.e., exponential. In practice, it is hoped
that the number of equations produced is small enough that
they can be evaluated efficiently.
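The reduction steps of Sreduce, Condition and the pivotal decomposition in Faulttree, together with the Table 2 print statements, in one added Python example (not the thesis's Pascal code; the node encoding, all event names and the sample tree are constructed). Replicated events are found by counting links, replication-free modules are reduced directly, the replicated basic event with the most links is pivoted on, and the Dummy 1 / Dummy 2 equations are recorded in the order they would be printed (the Dummy 3 equations of Sreduce are not emitted).

```python
from fractions import Fraction
from functools import reduce

# Fault tree: dict name -> ("BASIC", p) | ("AND"|"OR"|"2OF3", [inputs]) | ("NOT", [input]).
# Every name, gate code and probability below is constructed for this example.

def combine(kind, ps):
    """Gate probability when its inputs are mutually independent."""
    if kind == "AND":
        return reduce(lambda a, b: a * b, ps, Fraction(1))
    if kind == "OR":
        return 1 - reduce(lambda a, b: a * (1 - b), ps, Fraction(1))
    if kind == "NOT":
        return 1 - ps[0]
    a, b, c = ps                                   # 2-out-of-3
    return a * b + a * c + b * c - 2 * a * b * c

def link_counts(tree, top):
    """Links into each event from gates reachable from top; an event with more
    than one link is replicated (the r in the O(2^r |L|) bound)."""
    refs, seen, stack = {}, set(), [top]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        kind, inputs = tree[n]
        if kind != "BASIC":
            for c in inputs:
                refs[c] = refs.get(c, 0) + 1
                stack.append(c)
    return refs

def is_const(node):
    return node[0] == "BASIC" and node[1] in (0, 1)

def propagate(tree):
    """Condition's outward search: push fixed states (0/1) through the gates.
    OR with a failed input or AND with a working input becomes a constant, neutral
    inputs are dropped, 2-out-of-3 turns into OR/AND of its other two inputs, NOT flips."""
    changed = True
    while changed:
        changed = False
        for n, (kind, inputs) in list(tree.items()):
            if kind == "BASIC" or not any(is_const(tree[c]) for c in inputs):
                continue
            fixed = [tree[c][1] for c in inputs if is_const(tree[c])]
            live = [c for c in inputs if not is_const(tree[c])]
            if kind == "NOT":
                new = ("BASIC", 1 - fixed[0])
            elif kind == "2OF3":                   # first fixed input decides
                i = next(i for i, c in enumerate(inputs) if is_const(tree[c]))
                new = ("OR" if fixed[0] == 1 else "AND", inputs[:i] + inputs[i + 1:])
            elif kind == "AND" and 0 in fixed:
                new = ("BASIC", Fraction(0))
            elif kind == "OR" and 1 in fixed:
                new = ("BASIC", Fraction(1))
            elif live:                             # only neutral inputs were fixed
                new = (kind, live)
            else:                                  # AND of all 1s, or OR of all 0s
                new = ("BASIC", Fraction(1 if kind == "AND" else 0))
            tree[n], changed = new, True

def failure_probability(tree, top, equations=None):
    """Exact top-event probability without cut sets: simple-reduce every
    replication-free module (Sreduce), then pivot on the replicated basic event
    with the most links (heuristic (a) in the text) and recurse on both states."""
    tree = dict(tree)                              # the copy made per recursion level
    propagate(tree)
    refs = link_counts(tree, top)

    def sreduce(n):                                # True when n is (now) a basic event
        kind, inputs = tree[n]
        if kind == "BASIC":
            return True
        if all([sreduce(c) and refs[c] == 1 for c in inputs]):
            tree[n] = ("BASIC", combine(kind, [tree[c][1] for c in inputs]))
            return True
        return False

    if sreduce(top):
        return tree[top][1]
    e = max((c for c in refs if refs[c] > 1 and tree[c][0] == "BASIC"), key=refs.get)
    p, g = tree[e][1], {}
    for x in (1, 0):                               # g(p) = p_e g(1_e, p) + (1 - p_e) g(0_e, p)
        branch = dict(tree)
        branch[e] = ("BASIC", Fraction(x))
        g[x] = failure_probability(branch, top, equations)
        if equations is not None:                  # Table 2: Dummy 1, then Dummy 2
            equations.append(f"XP[{top}] := P[{top}];" if x == 1 else
                             f"P[{top}] := P[{e}]*XP[{top}] + (1-P[{e}])*P[{top}];")
    return p * g[1] + (1 - p) * g[0]

SAMPLE = {                                         # constructed: r feeds both legs, so it is replicated
    "top": ("OR", ["leg1", "leg2"]),
    "leg1": ("AND", ["sub", "r"]), "leg2": ("AND", ["b", "r"]),
    "sub": ("OR", ["a1", "a2"]),                   # replication-free module, reduced directly
    "a1": ("BASIC", Fraction(1, 4)), "a2": ("BASIC", Fraction(1, 3)),
    "b": ("BASIC", Fraction(1, 5)), "r": ("BASIC", Fraction(1, 2)),
}
```

For SAMPLE the result is 3/10 after a single pivot on r; passing a list as `equations` collects the two Table 2 statements for that pivot.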

C . ENHANCEMENTS 

Proper application of Faulttree requires that F, whether
an F-module or a fault tree, possess the properties of a
fault tree. A general F-module does not necessarily meet
this requirement while a simple F-module always does. Two
enhancements to Findmodule, "event splitting" and "recon-
figuration," are methods of dealing with non-simple F-modules.
Event splitting can be applied to an F-module with a cut
event of type AND or OR while reconfiguration is used for a
cut event of type 2-out-of-3. The last enhancement reduces
the number of equations produced by handling some simple
reductions implicitly.

1 . Event Splitting 

When Findmodule locates a simple F-module F' with its
F-module top e_k, F' and e_k are returned immediately to Fault-
tree. If F' is not simple, and t_k = AND or OR, then event
splitting may be applied. Since F' is not simple, some e_i ∉ E'
must be linked into e_k by a link ℓ_ik ∉ L'. "Split" e_k into two
events e_k1 and e_k2 of the same type as e_k (t_k1 = t_k2 = t_k):
the inputs of e_k that lie in F' are linked into e_k1, the inputs
of e_k that lie outside F' are linked into e_k2, and e_k1 is
linked into e_k2, which takes the place of e_k in the rest of F.
A simple F-module F̂ = F' − e_k + e_k1 is formed, where e_k1 is the
F-module top. Findmodule returns F̂ to Faulttree. Event
splitting works since

    x_1 ∩ x_2 ∩ ... ∩ x_n = x_0 ∩ (x_{k+1} ∩ x_{k+2} ∩ ... ∩ x_n)

for

    x_0 = x_1 ∩ x_2 ∩ ... ∩ x_k

and since

    x_1 ∪ x_2 ∪ ... ∪ x_n = x_0 ∪ (x_{k+1} ∪ x_{k+2} ∪ ... ∪ x_n)

for

    x_0 = x_1 ∪ x_2 ∪ ... ∪ x_k.

Figure 2-4 shows the structural changes made to the fault
tree by event splitting.

Figure 2-4 Event Splitting

2. Reconfiguration

For a cut event e_k of F-module F' with t_k = 2-out-
of-3, three events e_i are linked into the cut event e_k of
F'. H' is a biconnected component of H (ignoring unreplicated
basic events) with cut vertex v_k. If F' is not simple, then
since v_k ∈ H', exactly two of the e_i are in E', leaving one
e_i ∉ E'. Let the two events in E' be denoted e_i1 and e_i2 and
let the event e_i ∉ E' be denoted e_i3. The possible states of
the pair {e_i1, e_i2} are (1,1), (1,0), (0,1), and (0,0), of which
(1,0) and (0,1) are indistinguishable to e_k. F' will be replaced
by e_k and two basic events which will give an equivalent
representation of the probability information stored in F'.

To compute the needed probabilities a new top event e_j
independent of F is created. The links ℓ_i1k and ℓ_i2k are
removed, disconnecting F' − e_k from F. Links ℓ_i1j and ℓ_i2j
are formed to connect F' − e_k to e_j via the pair {e_i1, e_i2},
forming a new fault tree with top e_j. Let t_j = AND and
call Faulttree to obtain

    P(1,1) = (g_j(p) | t_j = AND).

Let t_j = OR and call Faulttree to obtain

    P((1,1) ∪ (1,0) ∪ (0,1)) = (g_j(p) | t_j = OR).

e_k is given a new event type which denotes a "reconfigured"
event with nonhomogeneous inputs. Two new basic events e_l1
and e_l2 are attached into e_k by ℓ_l1k, ℓ_l2k ∈ L. p_l1 = P(1,1)
while p_l2 = P((1,0) ∪ (0,1)) is given by

    P((1,0) ∪ (0,1)) = P((1,1) ∪ (1,0) ∪ (0,1)) − P(1,1).

The fault tree becomes

    F ← F − F' + e_k + e_l1 + e_l2,

and future computation of g_k(p) will use the reconfigured
event type with these two basic events in place of F' − e_k.
Figure 2-5 exhibits the resulting structural modification
to the fault tree.

3 . Replacement 

Another enhancement made was a change to Sreduce.
Instead of computing g_i(p) for a logic gate e_i with only a
single basic event e_j below, e_i can simply be replaced by e_j,
i.e., e_i ← e_j, p_i ← p_j, and dispose e_j. This is especially
helpful in forming the expression for g(p) since one equation
is eliminated each time this replacement is made.

Figure 2-5 Reconfiguration



III. IMPLEMENTATION AND COMPUTATIONAL RESULTS



The computer codes for all programs are written in
Berkeley 3.0 Pascal to take advantage of the recursive feature
of this language. All tests on these programs were conducted
on a VAX 11/780 computer under the Berkeley 4.0 Unix operating
system. The main algorithm of the previous chapter was
transformed into the dual purpose program "Faulttree" which
can be used to directly compute g(F) or produce a subroutine
containing the equations for g(p).

A. DATA STRUCTURES 

The data structure used to represent the fault tree is
effectively (E, L ∪ L̄). That is, both upward and downward
pointing links are maintained out of each event. Some storage
could have been saved using only (E, L) and creating L̄ when
needed, but this would have greatly increased the complexity
of the program. Maintaining both L and L̄ allowed flexibility
for the various types of searches conducted in F during reduc-
tions and other operations. A depth first search using (V, L̄)
is performed in the simple reduction subroutine "Sreduce,"
a depth first search using (V, L ∪ L̄) is performed in the
subroutine "Condition," and a depth first search using (V, L)
is performed in the subroutine "Findmodule" where (L ∪ L̄)
is used to simulate L. The use of (V, L) was especially
convenient in Condition. This allowed a depth first search
to remove events by starting at the basic event being con-
ditioned rather than beginning the search at the top event,
which would require more time.

Because pivotal decomposition and other algorithms used
deal with dynamic fault trees by restructuring and making
reductions, the internal data structure for the computer
program should facilitate changes to F. This facilitation
was accomplished by the use of linked lists to represent
the events and links of F. Two features available in Pascal
which were useful for storing these linked lists are "records"
and "pointers." Two types of records were designated: event
records and link records. A record allows the storage of
different data types within a single entity. Integers, reals,
arrays, and other types can be stored simultaneously in each
record. Two pointer types were designated: event record
pointers and link record pointers. The pointers were used
to connect events and links in the computer representation
of the fault tree, and were also used to move from one event
to another during searches through F.

Tables 3-1 and 3-2 list the information stored in event 
and link records. 

An event record is created for each e_i in F. Each event
record has an up pointer and a down pointer. The up pointer
points to the first link of a set of links equal in number
to the out-degree of e_i. Each link is connected to the next
link by the variable next link. Every link in the data
structure points to an event record via the variable event
pointer. The event records pointed to represent the e_j
which are linked from e_i by {ℓ_ij ∈ L}. The down pointer
points to the first link of a set of links equal in number
to the in-degree of e_i. These links are joined to one another
in the same way, and each points to an event record repre-
senting an e_j which is linked into e_i by {ℓ_ji ∈ L}.

TABLE 3-1

Event Record

Variable                  Data Type
identity                  integer
type                      integer
up pointer                pointer to link record
down pointer              pointer to link record
probability (optional)    real

TABLE 3-2

Link Record

Variable                  Data Type
event pointer             pointer to event record
next link                 pointer to link record

Figure 3-1 gives a visual representation of this structure.

Figure 3-1 Linking of Events

Because of this data structure, it is easy to change the
fault tree during a search. Reductions can be made by delet-
ing a link and reconnecting the links on either end of it,
or by setting pointers to "nil." Event types or identifications
can be changed or newly computed basic event probabilities
stored. (Probabilities only need to be stored in event
records when direct computation of system failure probability
is performed.)

B . PROGRAMMING 

Another feature of Pascal which was useful was its ability 
to call procedures recursively. This capability was used 
for pivotal decomposition so that recursive calls could be 
made in the program Faulttree until F was reduced completely. 
Although recursion could have been used in some subroutines, 
it uses more time and storage [Ref. 29: p. 300] than non- 
recursion and therefore was used only for pivotal decomposition. 

In Pascal, records may be created and destroyed over the
course of a program so that storage is only used when needed.
This can be accomplished by use of the embedded functions
"new" and "dispose." Some conservation of storage must be
utilized in Faulttree when solving any large problems. Using
new when making a copy of F and dispose during the reductions
on F is one way to conserve storage. This way is time con-
suming, however, since invoking new slows the program, and
extra searches which would otherwise be unnecessary are re-
quired to reach all events and links for disposals. To
minimize storage and time concurrently, two arrays were
created at the beginning of the program, one to store event
records and the other to store link records. All records
needed for the entire program are created and placed into
these arrays. Records are re-used from these arrays by saving
the index of the last record currently in use. Whenever a
new record is needed it can be taken from the next point in
the array beyond the index. Prior to making a copy of F in
Faulttree, the current value of the index is saved in another
variable. This copy of F is then produced, increasing the
index value. The copy is passed as an argument to Faulttree.
Upon return from Faulttree the copy is no longer needed, and
the index can be reset to its prior value. Meanwhile, as
reductions are made in Sreduce and Condition, the program
effectively "burns bridges" by setting pointers to nil where
events beyond these pointers are to be removed.

F-modules are dealt with directly without being discon-
nected or removed from F. Faulttree and its subroutines pass
arguments in the form of F-modules. This is actually accom-
plished in the program by passing a variable containing a
pointer to the F-module top. The subroutines treat the F-
module as a fault tree by never searching above the F-module
top.

In the subroutines Sreduce and Condition, some sections
of the code were written in block format. That is, sections
of code can be removed or inserted depending on the event
types to be represented in the fault tree. These blocks will
make it easy to modify this program for use of other specific
event types by insertion of the proper blocks of code.

C. INPUT AND OUTPUT 

The input for Faulttree is a data file describing F.
The first line of the data gives integer values for the number
of events and the highest event identification number. The
remainder of the file gives the detailed event data. Each
event occupies two lines of the file. The first line gives
three integers: event identification, event type, and number
of events directly below. The second line lists the events
below by identification or gives event probability for a basic
event. Figure 3-2 is a sample input data file.

Figure 3-2 Sample Input Data File

Faulttree outputs either the system failure probability
or a set of equations forming an expression for g(p). This
expression is in the form of a three part Pascal program
"FTE" (Fault Tree Expression). Faulttree prints the heading
"FTE-heading" and a subroutine "TEP" (Top Event Probability)
for FTE while the main program "FTE-main" is kept permanently
on file. TEP contains the equations which are printed by
Faulttree in reducing F. It is configured to receive the
argument p from FTE-main and return g(p). TEP and FTE-main
use variables and arrays declared in FTE-heading. FTE-
heading is printed by Faulttree after reductions on F are
complete. Two arrays are declared in the heading. The
primary array has a component for each event in F plus any
other dummy events which may have been created during event
splitting or reconfiguration. The secondary array is used in
pivotal decomposition to store the conditional probability
for an event while a probability is computed for the same
event given the opposite condition. The size of this array
is no greater than the deepest recursion level of Faulttree.
The heading is printed after TEP since array sizes for FTE
are not available in Faulttree until F has been completely
reduced. FTE-main is a routine which reads p from the input
data file and invokes TEP to compute g(p). When FTE-heading,
TEP, and FTE-main are combined to create FTE, FTE is ready to
be compiled and executed. FTE reads from the same data file
that Faulttree reads but only extracts the values for p in
the process. FTE outputs the probability of the top event
but can be usefully configured to compute event importances
or perform other computations which require g(p).
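A reader and consistency checker for the input file format just described, added here as an example (not the thesis's own code). The numeric event type codes and the sample file are constructed, since the page lists neither the codes nor the contents of Figure 3-2; the checker also reports which events are replicated, the quantity r that drives Faulttree's running time.

```python
# Assumed event type codes (the page does not list the thesis's codes).
TYPE_CODES = {0: "BASIC", 1: "AND", 2: "OR", 3: "NOT", 4: "2-out-of-3"}
INPUTS_REQUIRED = {"NOT": 1, "2-out-of-3": 3}   # fixed-arity gate types

# Constructed input file: 6 events, highest id 6. Event 6 = OR(4, 5),
# 4 = AND(1, 2), 5 = AND(2, 3); basic event 2 feeds two gates, so it is replicated.
SAMPLE_FILE = """\
6 6
6 2 2
4 5
4 1 2
1 2
5 1 2
2 3
1 0 0
0.01
2 0 0
0.05
3 0 0
0.02
"""

def parse_fault_tree(text):
    """Return (events, top_id, replicated_ids) or raise ValueError.
    events maps id -> ("BASIC", probability) or (gate type, [input ids])."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    n_events, max_id = int(rows[0][0]), int(rows[0][1])
    if len(rows) != 1 + 2 * n_events:
        raise ValueError("expected two lines per event after the header")
    events = {}
    for k in range(n_events):
        ident, code, below = (int(v) for v in rows[1 + 2 * k])
        body = rows[2 + 2 * k]
        if not 1 <= ident <= max_id or ident in events:
            raise ValueError(f"bad or duplicate event id {ident}")
        kind = TYPE_CODES.get(code)
        if kind is None:
            raise ValueError(f"unknown event type {code} for event {ident}")
        if kind == "BASIC":                       # second line is the probability
            if below != 0 or len(body) != 1:
                raise ValueError(f"basic event {ident} must carry one probability")
            p = float(body[0])
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"probability {p} of event {ident} out of range")
            events[ident] = (kind, p)
        else:                                     # second line lists the inputs
            inputs = [int(v) for v in body]
            if len(inputs) != below:
                raise ValueError(f"gate {ident} lists {len(inputs)} inputs, header says {below}")
            if below == 0 or below != INPUTS_REQUIRED.get(kind, below):
                raise ValueError(f"{kind} gate {ident} cannot have {below} inputs")
            events[ident] = (kind, inputs)
    # Structural checks: every input exists, and exactly one event has nothing above it.
    links_in = {}
    for ident, (kind, payload) in events.items():
        if kind == "BASIC":
            continue
        for c in payload:
            if c not in events:
                raise ValueError(f"event {ident} references undefined event {c}")
            links_in[c] = links_in.get(c, 0) + 1
    tops = [i for i in events if i not in links_in]
    if len(tops) != 1:
        raise ValueError(f"expected exactly one top event, found {tops}")
    replicated = sorted(i for i, n in links_in.items() if n > 1)   # out-degree > 1
    return events, tops[0], replicated
```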

D. PROGRAM TESTING 

Faulttree was tested on four fault trees, two of which
are hypothetical, "Examp1" and "Examp2," and two of which are
actual models of systems used in practice. One system,
"Aircraft," represents the combat attrition of a single
aircraft while another, "Nuke," represents a nuclear reactor
accident. Input data files were created for the four fault
trees, and Faulttree was executed for each to directly com-
pute g(F). Faulttree was again executed for each data file
to produce four versions of FTE. Descriptions of the fault
trees and data from test runs are given in Table 3-3.

TABLE 3-3

Test Runs

                  Examp1    Examp2    Aircraft      Nuke
events                64        79         105       339
rep. events            7        15           4        59
CPU time           0.001     0.371       0.001
events stored        112       330         178      2586
FTE equations         36       102          51   153,733
FTE CPU time       0.000     0.033       0.000

Nuke, described in the table, is actually a revised version
of the original data. The original data contained 345 events
of which 65 were replicated. Further explanation of the
modification of this data is given below.

The table gives CPU time in seconds. All CPU times
reported in this thesis exclude time required for input/output.
As a measure of storage the maximum number of event records
needed to compute each problem is included as "events stored."
Also, the number of equations printed into FTE is listed.

For all of the fault trees except Nuke, FTE was successfully
compiled and executed, computing the system failure proba-
bility in less time than required by Faulttree. The times for
execution of FTE are given in Table 3-3 in the row denoted
FTE CPU time.

Initial tests on Nuke were made using the original data
file. The first solution attempt for direct computation of
g(F) required more than five hours of clock time for Fault-
tree during a low utilization period on the VAX. Exact CPU
time was not determined. When Faulttree was reexecuted to
produce FTE, over 600,000 equations were printed into TEP.
This subroutine was too large to be compiled. Further tests
were conducted with this data alone with the objective of re-
ducing the number of equations being printed. First, data
was generated from Faulttree to see what size modules were
being located and to determine the extent of the reductions
being accomplished by pivotal decomposition. It was found
that after the first call to Sreduce, which removed only
six events, the fault tree was a prime F-module with all 65
replicated events and 339 of the original events still intact.

Several successful and unsuccessful techniques were imple-
mented for reducing the size of TEP. The replacement proce-
dure was implemented in Sreduce, and output was reduced to
about 425,000 lines. Up to this point, replicated events
for conditioning had been selected randomly. This worked
satisfactorily for small problems. Various heuristics for
choosing replicated events e_i for conditioning were tested
with Nuke. Three of these which required linear time com-
plexity were choosing e_i with (a) the greatest out-degree,
(b) the least distance in links from the top event, and
(c) the greatest distance in links from the top event.
Implementation of heuristic (a) reduced output to about
417,000 lines while (b) and (c) increased the amount of output.
Next, the reconfiguration procedure was developed, and it
reduced the output to about 415,000 lines. The heuristic
for computing min_{e_i ∈ E_R} ( max_{j ∈ J} |R_j| ) over all
replicated basic events was then added. This enhancement
reduced output to 225,000 lines. Finally a crude graphical
representation of the fault tree was produced with the hope
that some visual clue might aid selective conditioning. Two
sets of four replicated basic events were found. Every event
in each set was linked to the same two intermediate events of
four intermediate events total. The eight basic events were
replaced in the input data file by two basic events after
hand-computing probabilities for the two new basic events
based on the union of the four events each one replaced.
With this revised data, Faulttree produced only 153,733
equations.
IV. RESULTS AND CONCLUSIONS



Pivotal decomposition has been shown to be a good method 
for computing system failure probabilities in fault trees, 
at least for the problems analyzed here. The basic algorithm 
in conjunction with several enhancements has computed exact 
probability for a fairly large fault tree having 345 events 
with 65 of them replicated. Some of these enhancements 
were key factors in reducing the amount of computation re- 
quired by the basic algorithm. If other methods of reducing 
this computation can be applied to the computer code developed 
in this thesis, this program will be capable of being used 
as a tool in analysis of even larger fault trees. 

A. FINDINGS 

Space complexity was not a limiting factor in solving
any of these fault trees. The greatest use of storage
occurred in computing g(F) for Nuke. The total number of
event records created was less than eight times the amount
needed to store the original fault tree alone. Since the
recursion level was noted to exceed 43 at some points during
execution, the factor of eight is less than might be expected.
The system storage requirements for a high recursion level
such as this are probably more significant than the storage
of problem data. The greatest limiting factor for computing
probabilities in large fault trees is the time complexity
O(2^r|L|), which also gives the complexity for the length of
TEP. In this complexity figure, the factor |L| is insigni-
ficant. Efforts to reduce complexity must be directed
toward the factor 2^r. The fault tree aspects which most
influence this factor are the number of replicated events and
the structural characteristics of the fault tree which allow
or make difficult its modularization. Even a fault tree with
a large r value should not be difficult for Faulttree to
reduce if it has one of the following three properties:
(a) no prime F-modules contain a large r, (b) r is greatly
reduced after a few recursions of pivotal decomposition,
or (c) non-complex F-modules (low r per F-module) begin to
form after a few recursions of pivotal decomposition.

Faulttree and FTE have been shown to be useful for the
three fault trees Examp1, Examp2, and Aircraft. Faulttree
computed top event probability in a fraction of a second,
and FTE used less time. As a test of applicability FTE-
main was modified to compute Birnbaum importances for every
basic event in a given fault tree. For each basic event this
requires two computations of top event probability by TEP.
The number of basic events and time in seconds to compute all
their Birnbaum importances are shown in Table 4 for the three
fault trees.

Examp2 is the most complex fault tree of the three as
evidenced by comparing the numbers of replicated events and
the CPU time required by g(F) for the three fault trees.
TABLE 4

Time to Compute Birnbaum Importances for All Basic Events

                Examp1    Examp2    Aircraft
basic events        34        36          61
CPU time         0.017     0.067       0.017

(See Table 3-3.) For Examp2, 72 computations of g(p) are
made in about one-fifth of the amount of time required to
compute g(F) directly.

FTE was unable to be tested on Nuke due to the size of 
the subroutine TEP produced by Faulttree. Direct computation 
of g(F) was successful, although it required much CPU time. 

The structure of this fault tree impeded the formation of 
proper F-modules after reductions from conditioning. In fact, 
following as many as five conditionings, no replicated events 
are eliminated except for the one conditioned, and no proper 
F-modules are created. 

Although the version of TEP produced with Nuke is presently
too large to compile and use, it was reduced in size by more
than 75 percent from the first execution by several innovations
which were discussed in Chapter III. The large reductions
accomplished by the implementation of replacement show that
there are many instances of intermediate events with only
one unreplicated basic event below. Although this technique
was trivially easy to use, it was highly significant in
reducing the size of TEP. The addition of reconfiguration
to the program reduced TEP by less than one percent. This
may seem insignificant; however, Nuke only has three 2-out-of-3
events. Of the three, one is reduced and disposed in the
first call to Sreduce leaving only two in the fault tree for
pivotal decomposition. Before implementing reconfiguration,
if the cut vertex of an F-module F' ⊆ F was a 2-out-of-3
event, and one of the events connected into the cut vertex
was not in F', then F' could not be used but instead served
to complicate F and impede the computational process. It
is believed that reconfiguration will significantly reduce
the actual complexity of any fault tree with many 2-out-of-3
events.

The heuristic for selecting events to condition reduced 
the size of TEP by 45 percent. Although this heuristic results 
in increased time complexity for Faulttree, the great reduc- 
tion in the size of TEP is worthwhile. 

It is hoped that pivotal decomposition, combined with 
techniques discussed in this thesis and other techniques, 
will be useful in the analysis of large fault trees. More 
methods of making reductions and locating F-modules exist. 
However, time limitations preclude their application in this 
thesis. It is believed that the addition of some of these 
other methods to Faulttree would greatly increase the range 
of solvable problems. 
B. SUGGESTED FURTHER RESEARCH 

There are many further enhancements to the pivotal 
decomposition method of fault tree probability computation 
which could increase the usability of Faulttree. 

This thesis used the 2-out-of-3 event to demonstrate how 
techniques for K-out-of-N events can be applied. Specific 
K-out-of-N events would be easy to implement in the existing 
program. Other possible enhancements could be the addition 
of algorithms to compute probabilities of a general K-out-of-N 
event during simple reductions. To be of any practical use, 
this algorithm must handle a set of input events with unequal 
probabilities. In conjunction with this there should be a 
method for reconfiguration of an F-module with a general 
K-out-of-N cut vertex. 

There exist other methods of locating F-modules and 
generalizations of F-modules that can locate more useful 
structures which are overlooked by the depth first search 
method applied here. The method used in this thesis only 
locates an F-module which is attached to the fault tree 
by a cut vertex. Wood [Ref. 30] uses a search for tri-connected 
components in solving network reliability problems, 
and this method could be used to locate F-modules connected 
by separating pairs. Applied to this algorithm for fault 
trees, additional F-modules would be located which are not 
being located by the present method. For example, the two 
sets of four replicated events which were reduced to two 
replicated events by hand computation were both examples of 
tri-connected components which would have been detected and 
reduced as F-modules, thus reducing the overall problem 
complexity. 

It may be sufficient in many applications to compute 
g(F) approximately or to obtain upper and lower bounds on 
g(F). Corynen [Ref. 26] is able to solve large problems and 
obtains accurate bounds without considering all branches of 
the backtrack search structure. In Faulttree, lower bounding 
could be accomplished by saving $P_k$, the product of the 
probabilities of all events which have been conditioned up to 
recursion level k. The most recent value of $P_k$ for all k 
is saved so that it is available during backtracking and 
further recursion. When $P_k < \delta$ for some small $\delta > 0$, 
further recursions are unnecessary since the term in the 
pivotal decomposition algorithm is approaching zero. The 
algorithm can backtrack, and the term associated with the 
current recursion need not be added into the computation 
of g(F). If used, this method removes Faulttree from the 
realm of exact methods, and it might be risky to use the 
resulting expression for computation of system failure 
probability when the $p_i$ values vary over a wide range. 
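The following worked example is added here and is not code from the thesis or from Faulttree, TEP or FTE. It illustrates two of the suggestions above: a K-out-of-N probability computed during simple reductions for inputs with unequal probabilities, and the lower bound obtained by pruning recursions of the pivotal decomposition once the accumulated conditioning weight $P_k$ falls below $\delta$. The tuple representation of the fault tree, the function names, and the sample tree and basic event probabilities are constructed for this illustration; $P_k$ is read as the product of the $p_x$ (failed branch) and $1 - p_x$ (working branch) factors along the current recursion path, and the "most replicated event first" pivot rule is a stand-in for the thesis's own selection heuristic. A brute-force enumeration over all basic event states is included only to check the exact answer.

```python
import itertools
import math

# Added example (not the thesis's Faulttree/TEP code). A fault tree is a nested
# tuple: ('AND', [children]), ('OR', [children]), ('KOFN', k, [children]), or a
# basic-event name string. A name appearing more than once is a replicated
# event. Tree, probabilities and function names are constructed for illustration.


def kofn_prob(k, probs):
    """P(at least k of n independent inputs fail) for unequal input
    probabilities, via the 'exactly j of the first i inputs' recurrence."""
    dp = [1.0]  # dp[j] = P(exactly j of the inputs seen so far have failed)
    for p in probs:
        nxt = [0.0] * (len(dp) + 1)
        for j, v in enumerate(dp):
            nxt[j] += v * (1.0 - p)
            nxt[j + 1] += v * p
        dp = nxt
    return sum(dp[k:])


def count_events(tree, counts=None):
    """Occurrence count of every basic event; a count above 1 means replicated."""
    counts = {} if counts is None else counts
    if isinstance(tree, str):
        counts[tree] = counts.get(tree, 0) + 1
    else:
        for child in tree[-1]:
            count_events(child, counts)
    return counts


def evaluate_independent(tree, probs):
    """Simple reductions. Exact only when no replicated event has a probability
    strictly between 0 and 1 (an event already fixed to 0 or 1 is a constant)."""
    if isinstance(tree, str):
        return probs[tree]
    op = tree[0]
    if op == 'AND':
        return math.prod(evaluate_independent(c, probs) for c in tree[1])
    if op == 'OR':
        return 1.0 - math.prod(1.0 - evaluate_independent(c, probs) for c in tree[1])
    if op == 'KOFN':
        return kofn_prob(tree[1], [evaluate_independent(c, probs) for c in tree[2]])
    raise ValueError("unknown gate %r" % (op,))


def pivotal(tree, probs, delta=0.0, weight=1.0):
    """Recursive pivotal decomposition on replicated events.

    delta == 0 gives the exact g(F). delta > 0 prunes every recursion whose
    accumulated conditioning weight P_k (the product of the p_x and 1-p_x
    factors along the current path) is below delta; the dropped terms are
    non-negative, so the result is a lower bound on g(F)."""
    if weight < delta:
        return 0.0
    counts = count_events(tree)
    replicated = [e for e, n in counts.items() if n > 1 and 0.0 < probs[e] < 1.0]
    if not replicated:
        return evaluate_independent(tree, probs)
    x = max(replicated, key=lambda e: counts[e])  # condition on the most replicated event
    px = probs[x]
    failed = dict(probs, **{x: 1.0})   # branch in which x has occurred
    working = dict(probs, **{x: 0.0})  # branch in which x has not occurred
    return (px * pivotal(tree, failed, delta, weight * px)
            + (1.0 - px) * pivotal(tree, working, delta, weight * (1.0 - px)))


def holds(tree, state):
    """Boolean structure function of the tree for one state of the basic events."""
    if isinstance(tree, str):
        return state[tree]
    op = tree[0]
    if op == 'AND':
        return all(holds(c, state) for c in tree[1])
    if op == 'OR':
        return any(holds(c, state) for c in tree[1])
    return sum(holds(c, state) for c in tree[2]) >= tree[1]  # KOFN


def brute_force(tree, probs):
    """Reference value for checking: sum over all 2^n basic-event states."""
    names = sorted(count_events(tree))
    total = 0.0
    for bits in itertools.product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if holds(tree, state):
            total += math.prod(probs[n] if state[n] else 1.0 - probs[n] for n in names)
    return total


# Constructed sample: A, B and D are replicated; the 2-out-of-3 gate has unequal inputs.
SAMPLE_TREE = ('OR', [('AND', ['A', 'B']),
                      ('KOFN', 2, ['B', 'C', 'D']),
                      ('AND', ['A', 'D'])])
SAMPLE_PROBS = {'A': 0.05, 'B': 0.1, 'C': 0.2, 'D': 0.3}

if __name__ == '__main__':
    exact = pivotal(SAMPLE_TREE, SAMPLE_PROBS)
    print("independent (wrong):", evaluate_independent(SAMPLE_TREE, SAMPLE_PROBS))
    print("exact g(F):", exact, "check:", brute_force(SAMPLE_TREE, SAMPLE_PROBS))
    for delta in (1e-3, 1e-2, 1e-1):
        print("lower bound, delta=%g:" % delta, pivotal(SAMPLE_TREE, SAMPLE_PROBS, delta=delta))
```

Running the block shows why the bound must be used with care: the gap between the pruned value and the exact g(F) depends on how the products of the conditioned probabilities compare with $\delta$, so a threshold that is harmless for one set of basic event probabilities can discard substantial terms for another.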

There is surely a lower bound on the number of equations 
which must be written to give an expression for g(F) for a 
particular fault tree. For some large fault trees the lower 
bound will be too large, thus preventing the compilation of 
the subroutine TEP. In this case TEP can be subdivided into 
multiple subroutines to be compiled separately and linked for 
execution. 

By including some of these suggested additions to the 
work already accomplished, it is believed that Faulttree and 
FTE will be useful tools for fault tree analysis. 